Wednesday, February 24, 2010

Product Information and Strategy

Like a firewall, StormWatch is driven by a configured rule-set. Unlike traditional network intrusion detection systems, it works at the application level rather than the network level: each application that StormWatch locks down has a rule, or set of rules, associated with it. StormWatch ships with a default set of rules, and more rules can be added at any time at no additional cost.

StormWatch's rules are, in essence, behavior rules that encode how the application they safeguard normally behaves. If an application typically writes new data to a particular file, the corresponding StormWatch rule makes sure that data is not written to other files, including files owned by other users or other applications. Attackers often rely on manipulating a process into writing data to files it should never touch.

StormWatch works by installing agents on the systems whose applications are to be protected. A correlation engine within each agent decides whether an instruction an application receives falls within its expected behavior. This is one element of the product's INCORE (Intercept, Correlate, Rules Engine) architecture, and it is fundamental to the proactive technique StormWatch uses to keep applications from being led astray.

If the proposed action is suspiciously unusual, for example instructing the application to write to non-standard files, the rules governing the application's behavior prevent the action from executing. In response to an unacceptable behavior pattern, the StormWatch agent opens a dialogue with a central management console, which begins further analysis of the offending file. The console records the activity and, if it finds similar reports from elsewhere, updates the other agents on the network about the impending threat.

The agents also prevent unauthorized modification of the registry by intercepting system calls. The management console communicates with the agents over an encrypted SSL link, keeping the rules on each agent up to date. Once a new rule is written, distributing it to the other agents is largely automated. A test mode lets administrators observe a new rule in action before enforcing it on production systems.

The default rules that ship with StormWatch block the inadvertent actions on your system that trojans, worms, viruses, buffer overflows, SYN floods and port scans would otherwise cause. Writing a rule for a new or custom application requires knowing which files, executables, directories and ports the application uses, which does take some knowledge and expertise. The learning curve, however, is not much different from that of writing firewall rules.
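To make the rule model concrete, here is a small per-application behavior-rule engine with the pieces the article describes: an agent that intercepts events and checks them against the resources an application is allowed to touch (files, directory trees, ports, the registry), a test mode that reports rather than blocks, and a console that correlates the same violation across several agents. This is an added example written for this page, not StormWatch code or its rule format; the rule fields, event shape, decision names, the inetinfo.exe rule and the sample events are all constructed for illustration.

```python
"""Toy host-based behavior-rule engine (added example, not StormWatch code).
Rule fields, event shape and decision names are assumptions for illustration."""
import posixpath
from dataclasses import dataclass, field


def norm(path: str) -> str:
    """Normalize a Windows path so 'C:\\a\\..\\b' and 'c:/b' compare equal.
    Collapsing '..' is what stops a traversal from escaping an allowed tree."""
    return posixpath.normpath(path.replace("\\", "/")).lower()


@dataclass
class AppRule:
    """Resources one locked-down executable is allowed to use."""
    app: str
    allowed_files: set = field(default_factory=set)   # exact paths it may write
    allowed_dirs: set = field(default_factory=set)    # directory trees it may write under
    allowed_ports: set = field(default_factory=set)   # TCP ports it may open
    allow_registry: bool = False                      # may it modify the registry?


@dataclass(frozen=True)
class Event:
    """One intercepted system call, as the agent sees it."""
    app: str
    action: str   # "write", "connect" or "registry"
    target: str   # file path, "host:port", or registry key


class Agent:
    """Host agent: intercepts events and checks them against the rule-set."""

    def __init__(self, rules, test_mode=False):
        self.rules = {r.app.lower(): r for r in rules}
        self.test_mode = test_mode   # test mode reports violations but does not block
        self.violations = []

    def _permitted(self, rule, ev):
        if ev.action == "write":
            path = norm(ev.target)
            if path in {norm(f) for f in rule.allowed_files}:
                return True
            return any(path.startswith(norm(d) + "/") for d in rule.allowed_dirs)
        if ev.action == "connect":
            return int(ev.target.rsplit(":", 1)[1]) in rule.allowed_ports
        if ev.action == "registry":
            return rule.allow_registry
        return False   # unknown action types are never permitted

    def intercept(self, ev):
        """Return 'allow', 'deny', or 'log' (test mode) for one event."""
        rule = self.rules.get(ev.app.lower())
        if rule is None:
            return "allow"   # no rule for this application: it is not locked down
        if self._permitted(rule, ev):
            return "allow"
        self.violations.append(ev)
        return "log" if self.test_mode else "deny"


class Console:
    """Central console: correlates violations reported by several agents."""

    def __init__(self, threshold=2):
        self.threshold = threshold
        self.reports = {}

    def report(self, agent_id, ev):
        """Record a violation. Returns True once the same event has been seen on
        at least `threshold` distinct agents, i.e. it looks like a spreading threat."""
        target = norm(ev.target) if ev.action == "write" else ev.target
        hosts = self.reports.setdefault((ev.app.lower(), ev.action, target), set())
        hosts.add(agent_id)
        return len(hosts) >= self.threshold


# Hypothetical rule for a web server: one counter file, one log tree, two ports.
WEB_RULE = AppRule(
    app="inetinfo.exe",
    allowed_files={r"C:\inetpub\wwwroot\counter.txt"},
    allowed_dirs={r"C:\inetpub\logs"},
    allowed_ports={80, 443},
)

# Constructed sample events, not captured from any real system.
EVENTS = [
    Event("inetinfo.exe", "write", r"C:\inetpub\logs\ex100224.log"),                    # in log tree
    Event("inetinfo.exe", "write", r"C:\inetpub\wwwroot\counter.txt"),                  # exact file
    Event("inetinfo.exe", "write", r"C:\inetpub\logs\..\..\WINNT\system32\evil.dll"),   # traversal
    Event("inetinfo.exe", "connect", "0.0.0.0:443"),
    Event("inetinfo.exe", "connect", "203.0.113.5:4444"),                               # odd port
    Event("inetinfo.exe", "registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    Event("notepad.exe", "write", r"C:\WINNT\system32\anything.dll"),                  # no rule
]


def run(test_mode=False):
    """Decisions for EVENTS under one agent, enforcing or in test mode."""
    agent = Agent([WEB_RULE], test_mode=test_mode)
    return [agent.intercept(e) for e in EVENTS]


def correlate():
    """Same traversal attempt reported by two hosts: second report trips the threshold."""
    console = Console(threshold=2)
    return console.report("host-a", EVENTS[2]), console.report("host-b", EVENTS[2])


if __name__ == "__main__":
    print(run())
    print(run(test_mode=True))
    print(correlate())
```

The path normalization is the part most worth copying: an allowlist that compares raw strings would accept the `..\..\WINNT\system32` write because it begins with the permitted log directory, so normalize before matching and compare against the directory prefix with its trailing separator.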
Product Information
Product Name: StormWatch
Platforms Supported: Windows NT/2000
Product Scope:
  Financial Services
  Government agencies of all sizes
  Online businesses
  Organizations
Industry Focus:
  Internet Security
  Information Security
  Application Security
  Network Security
  System Security
Key Features:
  Central Management Console
  Server & Desktop agents
